I.  MANAGEMENT  SUMMARY 


The purpose of this interim report
is to summarize the results of our survey
and documentation of present Navy internal
control and auditing practices related to
distributed systems and present our
research findings on the impact of
distributed systems on internal control.

The overall objective of this
engagement is to assist the Navy in
developing improved internal controls and
EDP audit capability in the area of
distributed systems and minicomputers.
This management summary is designed to
provide a concise explanation of this
report's contents and organization.

1. ENGAGEMENT OBJECTIVES

The Office of Naval Research and the
Navy Comptroller's Office are interested
in researching management technology for
the purpose of developing improved
financial management in the Navy. One of
the most significant trends in financial
management systems is the development and
use of minicomputers and distributed
systems. The thrust of the project deals
with research on the impact of developing
EDP technology in this area on internal
controls and auditing.

Specific objectives of this project
include:

. Develop a computer audit
checklist to enable the Navy
to efficiently audit
distributed systems

. Determine the impact of
distributed systems on
internal controls. Identify
internal control practices and
procedures compatible with
this new technology

. Determine the impact of
distributed systems and
related internal controls on
the auditor's study and
evaluation of the system of
internal control

. Identify computer auditing
techniques related to
distributed systems and
minicomputers.

2. STUDY APPROACH

Our overall approach to accomplish
these objectives appears in the task plan
summarized in Exhibit 1-1.

(1) Report Scope

This report presents the
results of our efforts during the
execution of Task 2 (Survey and
Document Present System of Internal
Control and Auditing Practices
Related to Distributed Systems) and
Task 3 (Research the Impact of
Distributed Systems on Internal
Control) of Part II (Conduct Field
Work) of our technical approach.

. Survey and Document Present
System of Internal Control and
Auditing Practices Related to
Distributed Systems

The original purpose of this
task  was  to  familiarize 
ourselves  with  distributed 
systems  and  related  internal 
controls  within  the  Navy. 
However,  our  preliminary 
survey  of  internal  controls 
and  distributed  systems  in  the 
Navy indicated that there were
no  non-tactical  distributed 
processing  systems 
operational.  As  a  result,  a 
revision  of  our  original  task 
plan  was  required.  Our  initial 
task  plan  had  called  for  the 
documentation  of  the  present 
system of internal controls
and  audit  practices  related  to 
distributed  systems.  Instead 
of  documenting  existing 
systems  and  practices,  we 
revised  our  approach  and 
performed  a  more  detailed 
review  of  developing 
distributed  processing 
systems  and  the  Navy's  ADP 
system  development  process. 
After  gaining  this  required 
background,  we  developed  a 
system  review  document  and 
selected  two  Navy  distributed 
systems  currently  under 
development  for  more  in-depth 
review.  The  detailed  results 
of  our  preliminary  survey  were 
presented  in  a  prior  report 
dated  February,  1980. 

. Research the Impact of
Distributed Systems on
Internal Control

The  purpose  of  this  task  was 
to  identify  the  salient 
characteristics  of 
distributed  systems  and 
analyze  these  characteristics 
in light of traditional
internal controls. The
determination  of  the  potential 
impact  of  distributed  systems 
on  Navy  internal  controls 
relied  substantially  on  the 
information  developed  during 
Task  2  regarding  the  Navy's  EDP 
environment  and  developing 
distributed  systems. 

(2)  Study  Methodology 

During the conduct of Tasks 2
and 3 the following research
techniques were employed:

. Briefings - We attended
briefings at several Navy
organizations with the primary
objective of obtaining a
general understanding of the
Navy's EDP environment and
audit objectives.

. Interviews (Navy Personnel) -
We conducted interviews with
representatives of the
following organizational
units:

- Office of Naval Research
- Naval Audit Service
- Navy Comptroller
- Naval Data Automation Command
- Navy Regional Data Automation Command
- Selected Naval Data Processing Installations

The  purpose  of  these 
interviews  was  to  obtain  the 
necessary  organizational, 
systems,  and  internal  control 
information  to  properly 
understand  (and  document)  the 
Navy's  EDP  environment; 
internal  control  practices; 
computer  audit  capability  and 
objectives;  and  developing 
distributed  systems. 

. Interviews (Non-Navy
Personnel) - Research into
distributed systems and
related internal control was
supported in part through
interviews with the following:

- Arthur Young & Company's National Computer Auditing Coordinator
- Arthur Young & Company's Computer Auditors
- Members of selected AICPA committees and task forces
- Representatives of computer equipment manufacturers.

The  purpose  of  these 
interviews  was  to  supplement 
the  written  material  research 
conducted  during  this  effort 
and  to  ensure,  to  the  extent 
possible,  the  currency  of  our 
research  in  a  rapidly 
developing  technological area. 

. Written Materials - We
obtained  and  reviewed 
regulations,  EDP  standards, 
systems  documentation, 
periodicals  and  other 
available  documentation  to 
support  our  research  effort  in 
both  developing  our 
understanding  of  the  Navy's  EDP 
environment  and  evaluating  the 
impact  of  distributed  systems 
on  internal  controls. 


. Other - During the course of
the engagement, we developed
and utilized questionnaires
and review guides. The
objectives of these documents
were to guide our staff's data
gathering efforts during Task
2 and to ensure the
completeness and relevance of
the documentation obtained
regarding the Navy's EDP
environment and developing
distributed systems.

3. VOLUME 2 - IMPACT OF DISTRIBUTED
SYSTEMS ON INTERNAL CONTROLS

The purpose of Volume 2 is to
present the results of our research
regarding the impact of the distributed
system environment on internal controls
(Task 3). The discussion in this volume
addresses general EDP procedures (e.g.
environmental controls) which are
concerned with overall organization,
policies, procedures, and controls common
to all EDP applications.

To develop the proper framework for
analysis, this volume addresses two
variables: 1) the characteristics of a
distributed environment and 2) general
and specific procedures normally
associated with a good system of internal
control. The definition of the
distributed environment discusses the
possible distributed functions and
processes of distributed processing
systems, as well as common data
distribution patterns and alternative
communications networks.

The discussion on internal controls
identifies traditional general internal
controls (e.g. policies and procedures
related to organization and
administration, operations, and system
development and maintenance). These two
variables delineate the analysis
framework and are defined in Chapter I of
Volume 2.


This  framework  provides  the  basis 
for  the  analysis  performed  in  Chapter  II 
of  Volume  2  where  the  potential 
characteristics  of  distributed  systems 
are  compared  to  commonly  applied  general 
internal  control  procedures.  The  analysis 
also  describes  the  impact  which  specific 
distributed  system  characteristics  are 
likely  to  have  on  general  internal  control 
procedures.  Chapter  II  continues  with  a 
discussion  of  specific  internal  control 
procedures  which  are  particularly  suited 
to  a  distributed  system  environment  and 
concludes  with  a  discussion  of  the  impact 
of  distributed  systems  on  audit 
procedures. 

Finally,  Chapter  III  summarizes  our 
major  observations  and  recommendations 
related  to  the  analysis  described  above. 
A  summary  of  our  observations  is  presented 
below: 
. Distributed Systems Do Not
have an Impact on the Basic
Objectives of Internal Control

. Effective Control over the EDP
Function is More Difficult in
a Distributed System
Environment

. Total System Coordination is
Essential in a Distributed
System Environment

. Internal Controls in a
Distributed System
Environment are Heavily
Dependent on the System's
Design

. The Characteristics and
Requirements of Specific
Applications have a Direct
Impact on the System of
Internal Control

. Personnel and Staffing
Considerations Significantly
Affect the Development of
Internal Controls in a
Distributed System
Environment

. The Risk of Unauthorized Data
Access and Manipulation is
Significantly Increased in a
Distributed Environment

. Distribution Systems often
provide Internal Control
Procedure Alternatives in the
area of Contingencies and
System Failure

. Specific Characteristics of
Distributed Systems may be
used to Strengthen Internal
Controls

. The Internal Audit Function is
Significantly Affected by the
Characteristics of
Distributed Systems.

Based on the analysis performed in
Chapters I and II, we developed the
following preliminary recommendations:

. Computer Systems and EDP
Internal Control Training
Should be required for All
Auditors

. The Design of Distributed
Systems Should Place Added
Emphasis on Internal Control
Considerations

. Standards and Procedures
Should Be Developed to Ensure
Adequate System-Wide Controls
over Distributed Processes,
Related Data Bases and the
Network Configuration

. System Design Priority Should
Be Given to Controls over the
Operating System as a Key
Element in the Overall Control
of Distributed Systems

. The Development and
Implementation of Distributed
Systems Will Require More
User-Oriented Documentation

. Emphasis Should be Placed on
the Training of all Personnel
Involved in the EDP Function

. Operating Controls Should Be
Cognizant of the System's Total
Coordination Requirements

. Procedures should be Developed
to Ensure the System-Wide
Consistency of Duplicated Data
Bases

. Staffing Decisions and
Specific Personnel
Assignments Should Consider
the Related Impact of these
Decisions on Internal Controls

. Decisions to Self-Insure
Against Catastrophe and
Contingency Plans Should Be
Centrally Determined and
Properly Documented.

A  more  detailed  discussion  of  our 
observations  and  recommendations  appears 
in  Volume  2  of  this  report. 

4.  VOLUME  3  —  NAVY  ADP  ENVIRONMENT 

Volume  3  presents  the  results  of  our 
efforts  related  to  Task  2,  (Part  II)  of 
our  project  task  plan.  This  task  was 
designed  to  enable  our  project  team  to 
develop  an  understanding  of  the  Navy's 
existing  and  developing  ADP  internal 
controls  and  the  current  practices  of  the 
Naval  Audit  Service.  This  knowledge  was 
needed  to  guide  our  research  efforts  and 
provide  a  basis  from  which  recommendations 
suitable  to  the  Navy  internal  control 
environment  could  be  made. 


This section provides a concise
explanation of the contents of Volume 3
and our objective in reviewing each
research area. The remainder of this
section discusses each chapter and the
appendices contained in Volume 3 of our
report.

Naval Audit Service

In conducting our research it
was important to understand
the organization that will
ultimately use the results of
our research efforts. This
knowledge was necessary to
develop recommendations
tailored to the needs of the
Navy and which are realistic
within the Navy's operating
environment. We obtained
information on the Audit
Service, its organization and
activities, met with various
members of the Audit Service
and reviewed pertinent
documentation.

NAVDAC and the ADP System
Development Process

Another area of understanding
which was required to conduct
our research was knowledge
concerning the Navy's System
Development process. Our
objective was to gain insight
into the system development
guidelines, practices and
procedures followed in the
Navy. In order to develop this
knowledge, we met with various
members of the Naval Data
Automation Command (NAVDAC),
reviewed pertinent
documentation, and developed a
chronology of the AIS
Development and Approval
process within the Navy.

The NARDAC Operating
Environment

Controls which operate in
computer centers are needed to
complement other internal
controls related to individual
applications as well as
controls over the system
development process. The
NARDAC organization was
selected as representative of
the Navy's ADP operating
environment. Our purpose was
to understand the policy,
procedures, and organization
used in the Navy to control
data processing center
operations. Our intention was
not to review NARDAC
operations in detail, but to
understand the organizational
structure, security
environment, and other
internal controls related to
the NARDAC operating
environment.

Systems Surveys

Finally,  we  were  interested  in 
identifying  the  types  of 
advanced  systems  the  Navy  is 
developing. Since no
non-tactical distributed systems
were operating in the Navy when
our  project  began,  we  conducted 
a  survey  of  systems  currently 
under  development.  The 
objective  of  this  task  was  to 
identify  systems  under 
development  which  had 
characteristics  that  were 
compatible  with  our  analysis 
of  advanced  systems. 

Systems  Descriptions 

After completing our system
surveys, we selected IDA/EMS
and PASS Phase II/SDS for more
in-depth  reviews.  Our 
objective  was  to  understand 
the  control  features  of  these 
systems  and  to  document  the 
flow  of  data  through  these  two 
systems.  This  system  knowledge 
gave  our  project  team  a  sound 
basis  for  evaluating  the  types 
of  controls  which  would  be  most 
effective  in  the  application 
systems  the  Navy  was 
developing.  We  met  with 
members  of  design  agencies, 
project  management  personnel, 
and  reviewed  system 
documentation  in  developing 
our  understanding  of  these 
systems. 

Observations  and  Conclusions 

Below  we  present  an  overview 
of  key  observations  and 
conclusions  we  have  made 
during  the  conduct  of  this  task 
and  discuss  items  which  impact 
the  internal  control 
environment  in  the  Navy. 


Further discussion of the
items listed below is
contained in Volume 3 of this
report. 

- The Navy's System
Development Process
Provides a Well-Controlled,
Manageable
Procedure for Developing
ADP Systems

- NAVDAC's Initiatives in
the Area of the ADP
Security Manual and the
ADP Inspection Guide are
Positive Steps towards a
Well-Controlled ADP
Operating Environment

- The Standard NARDAC
Organization Provides a
Well-Controlled Operating
Environment

- The Institution of a Test
and Acceptance Group and
the Levels of Service
Concept Will Define
Responsibilities in the
ADP System Areas and
Permit Operating
Standards to be Enforced

- The Risk Assessment Should
Provide Increased
Awareness in AES’ Security
and Lead to a More
Controlled Environment

- Due to the Nature of the
Navy Environment, there
Should Be Guidance Related
to Internal Controls
Available to System Design
Agencies

- The Navy ADP System
Development Process
Should Be Supported by
Increased Audit Service
Involvement in the System
Development Process
- The Audit Service Should
Write the Section on the
Naval Audit Service for
the ADP Security Manual.

Based on our analysis of the
Navy EDP internal control
environment, and the
observations listed above, we
have rendered the following
conclusions:

- Developing Navy Systems
Will Change the Nature of
Traditional Audit
Approaches

- There is a Greater Need for
Audit Involvement in the
System Development
Process

- Continuing Project
Efforts will Emphasize the
Impact of Distributed
Systems on the Navy's
Developing EDP
Environment and How the
Audit Service Can Best
Serve the Navy in This
Situation.

5. PROJECT PLANS

In this section we present our plans
for completion of Part II (Conduct Field
Work) of our research project. We have
concentrated our efforts on distributed
systems and internal controls in the tasks
just completed. In the following tasks
we will focus on the auditor's study and
evaluation of internal controls and
evaluate the compatibility of computer
audit techniques with distributed systems
and minicomputer technology. The analysis
of distributed systems and the
understanding of the Navy's ADP
environment developed to date will enhance
our efforts and provide a sound basis to
conduct future research. The presentation
of our plans has been divided into two
sections: Task 4 (Research the Impact of
Distributed Systems on the Auditor's Study
and Evaluation of Internal Control) and
Task 5 (Identify Computer Auditing
Techniques Compatible with Distributed
Systems and Minicomputer Technology). A
discussion of each is presented below:

(1) Task 4 - Research the Impact
of Distributed Systems on the
Auditor's Study and Evaluation
of Internal Control


The  subtasks  associated  with 
this  task,  as  presented  in  Exhibit 
1-1,  require  the  analysis  of  the 
impact  of  distributed  system 
configurations  on  the  auditor's 
scope  and  the  auditing  procedures 
to  be  utilized  in  this  environment. 
We  will  continue  to  utilize  the 
resources  of  Arthur  Young  &  Company 
in  performing  this  analysis.  We 
have  identified  auditors  within  our 
firm  who  have  experienced  the  growth 
of  distributed  systems  and  will 
evaluate  their  views  in  light  of  the 
Navy's  ADP  environment.  We  have  also 
developed  a  working  relationship 
with Arthur Young & Company's
National  Computer  Auditing 
Coordinator.  We  feel  his  experience 
with  a  number  of  clients  who  have 
been  confronted  with  these  advanced 
systems  will  benefit  our  analysis. 
We  will  supplement  this  basis  with 
audit  expertise  from  the  audit 
profession  and  the  computer 
industry  as  needed.  Our  approach 
will  remain  flexible  and  react  to 
situations  which  may  develop  during 
our  research.  This  professional 
expertise  will  be  complemented  with 
an  expanded  understanding  of  the 
Naval  Audit  Service,  its  practices 
and  current  procedures.  We  have 
briefly  discussed,  with  several 
members  of  the  Audit  Service,  the 
computer  audit  practices  and 
procedures  currently  utilized.  This 
general  understanding  will  be 
further  developed  to  gain 
additional insight into the Audit
Service and to develop
recommendations  suitable  to  the 
Navy.  This  knowledge  will  also 
benefit  our  Task  5  effort  discussed 
below. 


(2)  Task  5  -  Identify  Computer 
Auditing  Techniques 
Compatible  with  Distributed 
Systems  and  Minicomputer 
Technology 

This  task  is  designed  to 
evaluate  computer  audit  techniques 
in  light  of  advanced  EDP  technology. 
We  will  again  call  on  computer 
auditors  within  Arthur  Young  & 
Company  to  assist  in  the  analysis 
of  various  alternatives.  Our  task 
plan,  presented  in  Exhibit  1-1, 
identifies  the  subtasks  associated 
with  this  effort.  We  will  also 
evaluate  the  applicability  of 
minicomputer  technology  in 
performing  audit  related  functions. 
Upon  completion  of  this  task  our 
field  work  will  be  completed. 


